GIACC.ISO 37001.BRIEFING NOTE.DEC 2016

ISO 37001 Anti-Bribery Management Systems Standard
Briefing Note

1. What is ISO 37001?

ISO 37001 is an anti-bribery management system (ABMS) standard for organizations. It specifies various anti-bribery policies and procedures which an organization should implement to assist it in preventing bribery, and in identifying and dealing with any bribery which does occur.

It is published by the International Organization for Standardization (ISO), which is an independent, non-governmental international organization which develops and publishes International Standards. It is based in Geneva, and is made up of the national standards bodies from 162 member countries.

2. Who can use ISO 37001?

ISO 37001 is designed to be used by small, medium and large organizations in the public, private and voluntary sectors. It can be used by such a wide range of organizations because the standard is designed to be a flexible tool, which can be adapted according to the size and nature of the organization and the bribery risk it faces.

3. In which countries can ISO 37001 be used?

ISO 37001 can be used in any country. It is designed to aid compliance by the organization both with international good practice and with the relevant anti-bribery legal requirements in all countries in which the organization operates.

4. How was ISO 37001 developed?

ISO 37001 was developed by a Project Committee established by ISO in 2013. The committee comprised experts from the following participating and observing countries and liaison organizations.

- Participating countries (37): Australia, Austria, Brazil, Cameroon, Canada, China, Colombia, Croatia, Czech Republic, Denmark, Ecuador, Egypt, France, Germany, Guatemala, India, Iraq, Israel, Kenya, Lebanon, Malaysia, Mauritius, Mexico, Morocco, Nigeria, Norway, Pakistan, Saudi Arabia, Serbia, Singapore, Spain, Sweden, Switzerland, Tunisia, UK, USA, Zambia.
- Observing countries (22): Argentina, Armenia, Bulgaria, Chile, Cyprus, Cote d'Ivoire, Finland, Hong Kong, Hungary, Italy, Japan, Korea, Lithuania, Macau, Mongolia, Netherlands, New Zealand, Poland, Portugal, Russia, Thailand, Uruguay.

- Liaison organizations (8): ASIS, European Construction Industry Federation (FIEC), Independent International Organization for Certification (IIOC), International Federation of Consulting Engineers (FIDIC), IQNet, Organization for Economic Co-operation and Development (OECD), Transparency International (TI), World Federation of Engineering Organizations (WFEO).
- Committee Secretariat and Chair: British Standards Institution (BSI).

The draft standard was circulated for international comment, and was modified at six international drafting meetings over three years to take account of international comments. Over 120 experts from over 20 countries participated in these meetings, which were held in London, Madrid, Miami, Paris, Kuala Lumpur and Mexico City. Decisions on the text were made by consensus of participating countries. ISO 37001 was published on 15th October 2016.

5. What are the potential consequences if an organization gets involved in bribery?

From an organization's perspective, there are many potential adverse consequences if it gets involved in bribery, which therefore justify the organization taking adequate steps to prevent bribery in relation to the organization's activities.

a) Ethical factors: From an international and national perspective, bribery is now widely regarded as unethical and unacceptable. It is one of the greatest obstacles to good government and the development of safe and adequate infrastructure. Funds which could be used for schools, roads, hospitals etc. are diverted by corrupt people for their private use. Safety and environmental procedures can be corruptly avoided, resulting in dangerous infrastructure and living conditions. Ethical organizations which are unwilling to bribe lose work to unethical organizations, which is unfair on ethical organizations, and may provide lower quality and higher cost solutions.

b) Legal risk: The international and national legal environment is rapidly changing, reflecting the increasing desire of people worldwide to prevent bribery.

i) Many international treaties have been signed during the last 20 years requiring member states to implement anti-bribery laws and procedures. The most internationally significant of these are the United Nations Convention against Corruption (2003) and the OECD Convention on Combating Bribery (1999).

ii) Most countries have changed their laws in accordance with treaty requirements. Bribery and other corruption offences are therefore crimes worldwide. All OECD countries have now made it a crime for their nationals and organizations to bribe overseas. As a result, a person or organization may be liable for bribery both in the country where the bribery took place, and in the person or organization's home country.

iii) Individuals and organizations can be held liable for bribery under both criminal law and civil law. The type and extent of liability will depend on the laws of each country.

- Criminal laws can result in fines and imprisonment for individuals, and fines and debarment for organizations. Prosecution agencies in many countries are now starting to investigate and prosecute organizations and individuals for bribery. There have been many recent major cases. An organization may also incur criminal liability in several jurisdictions as a result of new laws which make the organization responsible for bribes paid on its behalf or for its benefit by joint venture partners, suppliers, contractors etc. It may be a defence, or mitigate liability, in some cases for the organization to show that it had implemented effective controls designed to prevent the relevant act of bribery.

- Civil laws can result in contracts being terminated in the event of bribery, and individuals and organizations being required to pay compensation to parties affected by the bribery.

c) Safety and quality risk: From an organization's perspective, bribery can adversely impact on its safety and quality management. A bribe paid by the organization's sub-contractor to the organization's site supervisor to overlook poor safety management on site can result in death or personal injury. A bribe paid by a supplier to the organization's procurement manager can result in the organization buying poor quality products which need repair or replacing. Therefore, effective safety and quality management also requires effective anti-bribery controls.

d) Financial risk: Involvement in bribery can result in financial risk to the organization:

- Fines levied by prosecutors or regulators.
- Compensation paid to other parties affected by the bribery.
- The internal management costs and external legal costs of investigating and dealing with the bribery and any consequent legal actions.
- The costs of dealing with claims for death or personal injury resulting from bribery.
- The costs of purchasing products which are over-expensive due to bribery, or of rectifying defective products.

e) Reputational risk: Involvement in bribery can result in reputational risk for an organization and its employees. The press frequently carries articles on individuals and organizations implicated in or being prosecuted for bribery. An individual implicated in bribery may be unable to obtain employment. Customers may be unwilling to do business with an organization implicated in bribery. Ethical employees may be unwilling to work for an organization which is believed to be unethical.

6. How can ISO 37001 benefit an organization?

As stated in paragraph 5, bribery can have very serious adverse consequences for an organization and for its employees. It is therefore in the interests of an organization and all its employees to take reasonable and proportionate steps to prevent bribery occurring. It is normally far cheaper and less disruptive for an organization to implement controls to prevent bribery from occurring than to deal with the consequences if bribery does occur. ISO 37001 can benefit an organization in the following ways.

a) By specifying necessary policies and procedures, ISO 37001 assists an organization in implementing an ABMS, or in enhancing its existing controls. An ISO 37001 compliant ABMS can help prevent bribery occurring, and can significantly reduce its impact if it does occur.

b) It helps provide assurance to the management and owners of an organization that their organization has implemented internationally recognised good practice anti-bribery controls, and is therefore taking steps to reduce risk and any adverse consequences.

c) It helps the organization provide assurance to its customers, business associates and personnel that it has implemented internationally recognised good practice anti-bribery controls, and therefore assists the organization in obtaining work, recruiting good personnel and enhancing its reputation.

d) Organizations may require their major contractors, suppliers and consultants to provide evidence of compliance with ISO 37001 as part of their pre-qualification or supply chain approval process (on a similar basis to their requiring evidence of compliance with ISO 9001 (quality management) etc.).

e) In the event of a bribery investigation which involves the organization, it helps provide evidence to the prosecutors or courts that the organization had taken reasonable steps to prevent bribery. It can therefore help avoid a prosecution, or mitigate the outcome.

Well-managed ethical organizations are likely to implement effective anti-bribery policies and procedures in their organizations in the same way that they would implement effective quality, environmental and safety policies and procedures. Many organizations are also likely to obtain independent certification to ISO 37001 in a similar way to obtaining certification to ISO 9001, ISO 14001 and OHSAS 18001.

7. What does "management system" mean?

A management system is a set of policies and procedures which can be implemented by the organization to help it control a specific risk or to help produce a specific outcome. An organization cannot, for example, achieve a safe working environment, or good quality products, simply by requiring this to happen. It has to implement a series of policies and procedures which are designed to achieve this outcome. On a similar basis, bribery prevention is increasingly being seen as a management issue (i.e. something which the organization needs to control through good management practices).

8. Will the organization have to implement a totally new stand-alone management system to control bribery risk?

No. The measures required by ISO 37001 are designed to be integrated into the organization's existing management structure and controls. Many of the required measures will be those which the organization has already implemented. Where a new or enhanced measure is required, this can be integrated into the organization's existing structure and systems.

9. Will ISO 37001 impose an unnecessarily heavy bureaucracy on an organization?

ISO 37001 should not impose an unnecessarily heavy bureaucracy on an organization. The standard specifically states that the required anti-bribery policies and procedures should be implemented in a manner which is reasonable and proportionate to a number of relevant factors, such as the size and structure of the organization, the locations and sectors in which the organization operates, the nature, scale and complexity of the organization's activities, and the bribery risk which the organization faces.

10. Does ISO 37001 address all types of corruption?

No. ISO 37001 only addresses bribery, and does not address fraud, cartels, money-laundering or other criminal activities (although an organization may choose to extend the scope of its compliance management system to include such activities).

11. How is bribery defined in ISO 37001?

As different legal systems define bribery differently, ISO 37001 does not provide a strict definition of bribery. It provides a guidance definition to help users understand the intention and scope of the standard. The standard requires the organization to take account of the applicable legal definition of bribery in the countries in which it is operating, and to take steps to ensure that its management controls are appropriate to prevent bribery as defined in those jurisdictions.

12. What types of bribery does ISO 37001 aim to help prevent?

ISO 37001 aims to help prevent:

- Bribery by the organization, and by the organization's personnel or business associates acting on the organization's behalf or for its benefit.
- Bribery of the organization, or of the organization's personnel or business associates in relation to the organization's activities.

(Business associate includes parties with which the organization has a business relationship, e.g. customers, joint venture partners, consultants, sub-contractors, suppliers, agents.)

13. Does ISO 37001 exempt small bribes and facilitation payments?

No. ISO 37001 requires the organization to prohibit all types of bribes, large and small, including facilitation payments.

14. What are the types of anti-bribery measure required by ISO 37001?

ISO 37001 requires the organization to implement, in a reasonable and proportionate manner, a series of measures which are designed to help the organization prevent, detect and deal with bribery. The following summarises the key measures:

a) Implement an anti-bribery policy and supporting anti-bribery procedures (the ABMS). These procedures are the ones listed in b) to w) below.

b) Ensure that the organization's top management has overall responsibility for the implementation and effectiveness of the anti-bribery policy and ABMS, and provides the appropriate commitment and leadership in this regard.

c) Ensure that responsibilities for ensuring compliance with the anti-bribery policy and ABMS are effectively allocated and communicated throughout the organization. For example:
- department heads will be responsible for compliance within their departments;
- all personnel will be responsible for their personal compliance.

d) Appoint a person(s) with responsibility for overseeing anti-bribery compliance by the organization (compliance function). This person(s) can be full-time or part-time, depending on the size of the organization, and can combine this responsibility with other responsibilities.

e) Ensure that controls are in place over the making of decisions in relation to transactions which pose more than a low bribery risk. The decision process and the level of authority of the decision-maker(s) must be appropriate to the level of bribery risk and be free of actual or potential conflicts of interest.

f) Ensure that resources (personnel, equipment and financial) are made available as necessary for the effective implementation of the ABMS.

g) Implement appropriate vetting and controls over the organization's personnel designed to ensure that they are competent, and will comply with the anti-bribery policy and ABMS, and can be disciplined if they do not comply.

h) Provide appropriate anti-bribery training and/or guidance to personnel on the anti-bribery policy and ABMS.

i) Produce and retain appropriate documentation in relation to the design and implementation of the anti-bribery policy and ABMS.

j) Undertake periodic bribery risk assessments and appropriate due diligence on transactions and business associates.

k) Implement appropriate financial controls to reduce bribery risk (e.g. two signatures on payments, restricting use of cash, etc.).

l) Implement appropriate procurement, commercial and other non-financial controls to reduce bribery risk (e.g. separation of functions, two signatures on work approvals, etc.).

m) Ensure that all other organizations over which it has control implement anti-bribery measures which are reasonable and proportionate to the nature and extent of bribery risks which the controlled organization faces.

n) Require, where it is practicable to do so, and would help mitigate the bribery risk, any business associate which poses more than a low bribery risk to the organization to implement anti-bribery controls which manage the relevant bribery risk.

o) Ensure, where practicable, that appropriate anti-bribery commitments are obtained from business associates which pose more than a low bribery risk to the organization.

p) Implement controls over gifts, hospitality, donations and similar benefits to prevent them from being used for bribery purposes.

q) Ensure that the organization does not participate in, or withdraws from, any transaction where it cannot appropriately manage the bribery risk.

r) Implement reporting (whistle-blowing) procedures which encourage and enable persons to report suspected bribery, or any violation of or weakness in the ABMS, to the compliance function or to appropriate personnel.

s) Implement procedures to investigate and deal appropriately with any suspected or actual bribery or violation of the ABMS.

t) Monitor, measure and evaluate the effectiveness of the ABMS procedures.

u) Undertake internal audits at planned intervals which assess whether the ABMS conforms to the requirements of ISO 37001 and is being effectively implemented.

v) Undertake periodic reviews of the effectiveness of the ABMS by the compliance function and top management.

w) Rectify any identified problem with the ABMS, and improve the ABMS as necessary.

ISO 37001 has an Annex which contains guidance to help an organization implement an anti-bribery programme.

15. Does the organization need to comply with all of the ISO 37001 requirements?

Yes. ISO 37001 specifies various anti-bribery policies and procedures which the organization must implement to assist it in preventing bribery, and in identifying and dealing with any bribery which does occur. An organization is only compliant with ISO 37001 if it has implemented all of the required measures. However, these measures should be implemented by the organization in a reasonable and proportionate manner according to the type and size of the organization, and the nature and extent of bribery risks it faces.

16. Can a third party certify the organization's compliance with ISO 37001?

An organization's compliance with ISO 37001 can be certified by an independent third party. This provides additional assurance that the organization is compliant. The risk of corrupt or negligent certification is reduced by the use of major, well known, accredited national or international certifiers.

There is no obligation on an organization to obtain independent certification to ISO 37001. An organization may simply ensure that its procedures are compliant with the standard. However, independent certification adds an extra level of independent assurance.

17. What is the cost of implementing ISO 37001?

There is likely to be a cost to an organization of implementing an ISO 37001 compliant ABMS. The organization needs to put sufficient resources into the design and implementation of the programme so that it works effectively. Some organizations will already have implemented an anti-bribery programme which is compliant with international good practice, and in this case may not need to incur any additional expenditure. Other organizations may need only to implement some limited enhancements. At the other end of the spectrum, some organizations may have no controls, and may therefore need to incur the time and expense to put an effective control environment in place.

The actual cost will depend on many factors such as the size of the organization, the complexity of its structure and operations, where it does business, the number of interactions it has with other organizations etc.

If the organization chooses to get its programme independently certified, then there will also be the cost of certification. This cost is also likely to vary according to the size and structure of the organization (which is the same as with e.g. ISO 9001).

